On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users 
wrote:
> Hello everyone,
> 
> I’m new to this and am trying to set up a working trust against an AD 
> forest. I seem to have a working trust, but when I try to reference external 
> groups (or users) I get:
> 
> # ipa group-add-member ad_users_external --external "AD2\Domain Users"
> [member user]:
> [member group]:
>   Group name: ad_users_external
>   Description: AD users external map
>   Failed members:
>     member user:
>     member group: AD2\Domain Users: trusted domain object not found
> -------------------------
> Number of members added 0
> -------------------------

I think the lookup eventually goes from the ipa command line framework
to SSSD. Does a lookup through the usual SSSD channels (getent passwd
username@domain) work?

> 
> I enabled some logging, and the output from the command above is at the end 
> of this mail. Any suggestions what could cause this? The current version of IPA 
> is 4.5.
> 
> Regards
> Henrik
> 
> Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 
> 192.168.6.82:34714] failed to set perms (3140) on file 
> (/var/run/ipa/ccaches/ad...@idm.test.net)!, referer: 
> https://ipaserver.idm.test.net/ipa/xml
> string_to_sid: SID AD2\Domain Users is not in a valid format

btw did you also try a lookup of a name qualified with the full AD domain
name (i.e. username@ad.domain instead of ad\\username)? I wonder if just
the flatname is acting up.

> lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
> Processing section "[global]"
> INFO: Current debug levels:
>   all: 11
>   tdb: 11
>   printdrivers: 11
>   lanman: 11
>   smb: 11
>   rpc_parse: 11
>   rpc_srv: 11
>   rpc_cli: 11
>   passdb: 11
>   sam: 11
>   auth: 11
>   winbind: 11
>   vfs: 11
>   idmap: 11
>   quota: 11
>   acls: 11
>   locking: 11
>   msdfs: 11
>   dmapi: 11
>   registry: 11
>   scavenger: 11
>   dns: 11
>   ldb: 11
>   tevent: 11
> pm_process() returned Yes
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
> netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
> netmask=255.255.255.0
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
> netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
> netmask=255.255.255.0
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
> netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
> netmask=255.255.255.0
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
> netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
> netmask=255.255.255.0
> finddcs: searching for a DC by DNS domain ad2.test.net
> finddcs: looking for SRV records for _ldap._tcp.ad2.test.net
> resolve_lmhosts: Attempting lmhosts lookup for name 
> _ldap._tcp.ad2.test.net<0x0>
> getlmhostsent: lmhost entry: 127.0.0.1 localhost
> ads_dns_lookup_srv: 2 records returned in the answer section.
> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
> Addrs = 192.168.5.158@389/adserver,192.168.5.104@389/adserver
> finddcs: DNS SRV response 0 at '192.168.5.158'
> finddcs: DNS SRV response 1 at '192.168.5.104'
> finddcs: performing CLDAP query on 192.168.5.158
>      &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
>         command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
>         sbz                      : 0x0000 (0)
>         server_type              : 0x0001f1fc (127484)
>                0: NBT_SERVER_PDC
>                1: NBT_SERVER_GC
>                1: NBT_SERVER_LDAP
>                1: NBT_SERVER_DS
>                1: NBT_SERVER_KDC
>                1: NBT_SERVER_TIMESERV
>                1: NBT_SERVER_CLOSEST
>                1: NBT_SERVER_WRITABLE
>                0: NBT_SERVER_GOOD_TIMESERV
>                0: NBT_SERVER_NDNC
>                0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
>                1: NBT_SERVER_FULL_SECRET_DOMAIN_6
>                1: NBT_SERVER_ADS_WEB_SERVICE
>                1: NBT_SERVER_DS_8
>                0: NBT_SERVER_HAS_DNS_NAME
>                0: NBT_SERVER_IS_DEFAULT_NC
>                0: NBT_SERVER_FOREST_ROOT
>         domain_uuid              : 63c3a477-85f9-5f01-96e8-2597a5c48978
>         forest                   : 'ad2.test.net'
>         dns_domain               : 'ad2.test.net'
>         pdc_dns_name             : 'adserver.ad2.test.net'
>         domain_name              : 'AD2'
>         pdc_name                 : 'adserver'
>         user_name                : ''
>         server_site              : 'AS001'
>         client_site              : 'AS002'
>         sockaddr_size            : 0x00 (0)
>         sockaddr: struct nbt_sockaddr
>             sockaddr_family          : 0x00000000 (0)
>             pdc_ip                   : (null)
>             remaining                : DATA_BLOB length=0
>         next_closest_site        : NULL
>         nt_version               : 0x00000005 (5)
>                1: NETLOGON_NT_VERSION_1
>                0: NETLOGON_NT_VERSION_5
>                1: NETLOGON_NT_VERSION_5EX
>                0: NETLOGON_NT_VERSION_5EX_WITH_IP
>                0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
>                0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
>                0: NETLOGON_NT_VERSION_PDC
>                0: NETLOGON_NT_VERSION_IP
>                0: NETLOGON_NT_VERSION_LOCAL
>                0: NETLOGON_NT_VERSION_GC
>         lmnt_token               : 0xffff (65535)
>         lm20_token               : 0xffff (65535)
> finddcs: Found matching DC 192.168.5.158 with server_type=0x0001f1fc
> [Tue Nov 21 13:10:42.740320 2017] [:error] [pid 26496] ipa: INFO: 
> [jsonserver_session] ad...@idm.test.net: 
> group_add_member/1(u'ad_users_external', ipaexternalmember=(u'AD2\\\\Domain 
> Users',), version=u'2.228'): SUCCESS

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
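The two checks suggested in the reply (try the SSSD lookup directly, and try the name in both flat-name and fully-qualified form), as an added example that is not part of the thread. It assumes the flat-name to DNS-domain mapping AD2 -> ad2.test.net read off the CLDAP response in the log, and it only ever calls getent; the parse_sid helper shows why string_to_sid rejects a name like "AD2\Domain Users": it is a name that still needs resolving, not a SID.

```python
import subprocess

# Constructed from the CLDAP response in the log: domain_name 'AD2', dns_domain 'ad2.test.net'.
FLAT_TO_DNS = {"AD2": "ad2.test.net"}


def parse_sid(text):
    """Return (identifier_authority, [sub_authorities]) for a textual SID such as
    S-1-5-21-..., or None when the string is not a SID at all (e.g. 'AD2\\Domain Users').
    This mirrors the check behind the 'SID ... is not in a valid format' log line."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        return None
    try:
        nums = [int(p) for p in parts[2:]]
    except ValueError:
        return None
    # One identifier authority plus at most 15 sub-authorities, all non-negative.
    if len(nums) > 16 or any(n < 0 for n in nums):
        return None
    return nums[0], nums[1:]


def name_forms(name, flat_to_dns=FLAT_TO_DNS):
    """Expand an external member name into the forms SSSD accepts, so both the
    flat-name form and the DNS-qualified form can be tried side by side."""
    if "\\" in name:
        flat, _, short = name.partition("\\")
        forms = [name]
        dns = flat_to_dns.get(flat.upper())
        if dns:
            forms.append(f"{short}@{dns}")
        return forms
    if "@" in name:
        short, _, dns = name.rpartition("@")
        forms = [name]
        for flat, mapped in flat_to_dns.items():
            if mapped.lower() == dns.lower():
                forms.append(f"{flat}\\{short}")
        return forms
    return [name]


def resolve_with_sssd(name, database="group"):
    """Ask the NSS stack (SSSD on an IPA server) to resolve each form of the name via
    getent. Returns {form: entry-or-None}; if only the @dns form resolves, the flat
    name lookup is the part that is broken. Requires getent and a configured trust."""
    results = {}
    for form in name_forms(name):
        proc = subprocess.run(["getent", database, form], capture_output=True, text=True)
        results[form] = proc.stdout.strip() or None
    return results
```

Run resolve_with_sssd("AD2\\Domain Users") on the IPA server; an all-None result points at SSSD rather than the ipa framework, while a result where only the @ad2.test.net form resolves points at flat-name handling.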